Overview

overview

10

Static

static

10

DCRatBuild.exe

windows10-1703-x64

10

DCRatBuild.exe

windows10-2004-x64

10

DCRatBuild.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    49s
  • max time network
    59s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    30-04-2024 12:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DCRatBuild.exe

  • Size

    3.8MB

  • MD5

    3da1cda32190d9ba346889a7df20c952

  • SHA1

    f26a7f5ece93071f40b8cf3c5cf74af1e7589797

  • SHA256

    84d18110d3087cb912cc8cdcc3dae4e4ed4d0a4d20b514291eb7958590960607

  • SHA512

    540a4c0372ce6a8e6b651b7aaad62d9a119cf8a6589a50cab1a83c2eec6c52ac9e662f789e06ab196bbac82766cfc74b0a177fc94fe944de206c7100b2d929c6

  • SSDEEP

    98304:yQ8b58R7g9ksxqxTqIlyOBYFF+2hvc8Tf:58b5gc6TqjFFL

Score
10/10
zgratpersistenceratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 2 IoCs
  • Modifies WinLogon for persistence 2 TTPs 5 IoCs
    persistence
  • Process spawned unexpected child process 15 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:688
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\fonthostdll\ZxYhCBKjdxZObPEn9rwvPOXpSTg7EbRJyULpGWziJq.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4620
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\fonthostdll\cDjK63EiRnHUwKm2BmlGhi2Z7Zsm9LN.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4460
        • C:\fonthostdll\ChainSurrogateAgentSaves.exe
          "C:\fonthostdll/ChainSurrogateAgentSaves.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4132
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mho25pwq\mho25pwq.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:1792
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES700F.tmp" "c:\Windows\System32\CSC454ADE0B1AE64937B2F89E8B039B522.TMP"
              6⤵
                PID:3516
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KJmiizqnd0.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4484
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:1296
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  6⤵
                    PID:4380
                  • C:\Program Files\Microsoft Office 15\ClientX64\smss.exe
                    "C:\Program Files\Microsoft Office 15\ClientX64\smss.exe"
                    6⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4996
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\ShellExperienceHost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4264
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\ShellExperienceHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4492
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\ShellExperienceHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1664
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Pictures\Saved Pictures\ShellExperienceHost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1856
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Saved Pictures\ShellExperienceHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:784
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Pictures\Saved Pictures\ShellExperienceHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1452
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 6 /tr "'C:\fonthostdll\ApplicationFrameHost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4164
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\fonthostdll\ApplicationFrameHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:816
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 14 /tr "'C:\fonthostdll\ApplicationFrameHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3812
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2980
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1440
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:524
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\smss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4700
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\smss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:592
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\smss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2460

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\KJmiizqnd0.bat
          Filesize

          231B

          MD5

          e31ae9d342e446160fb03085bed7dd6c

          SHA1

          24b0897531b963dd466ec871e1b87fa33329e959

          SHA256

          adc02138d690d03c071cc2e9693af80032cbef0c907797c516abbf937f5b9b9d

          SHA512

          cce611cb2712bc8882c98498264ed5e80b67fd150cf6256717a7eeb31dbcedf04bfe924f4a3ac5834858132012f0a4fcba944d7a50db76ab03caeeaf42dc49d3

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RES700F.tmp
          Filesize

          1KB

          MD5

          27aa4a5b476f79affff950e72117df2b

          SHA1

          e63334a6b12260abcbd69dcb932a59916c3f8a6d

          SHA256

          eab73fd3a479ad4dcfd334ff5ad4effebfe18e6118388924920d712ffdc3af2a

          SHA512

          a79100b58dfca6c4e8f3ea1b0e66d0eb2d5ced8ee07b0254822a77162c34814df969e2494957bc3fa3582a9c4a4d6910e013a83e45dd011f82bb6a643fe31a97

          Download Submit

        • C:\fonthostdll\ChainSurrogateAgentSaves.exe
          Filesize

          3.5MB

          MD5

          fbcc1d265e960f799d44f2b41f494b63

          SHA1

          89a7cb2b74d65cadf96e18af1f317c296eea6261

          SHA256

          6fb0005df41defdc5866dd4ff3c590925d2ea1ad51176412a905f1e850698318

          SHA512

          ca3cd33aa7746b4d9372c7f6d919da3605bf84f6fb86f9a57dcad71731ddac570ba7a0505b7b435d58e75596ec96ebddae5124b566924802756a9e298ce64632

          Download Submit

        • C:\fonthostdll\ZxYhCBKjdxZObPEn9rwvPOXpSTg7EbRJyULpGWziJq.vbe
          Filesize

          220B

          MD5

          f5975f5e04426d677d03382c3d5f9f65

          SHA1

          40a2df9165257acacffdecb7d1cdfe6ee09bb57b

          SHA256

          43e307995b3688d72c71bf0d3715178d944a6560dac01925d35df847cff05163

          SHA512

          c221fe1e51eceffaab0bb46209f0368a62d8ba1e983c78dd0f9f8f0f482a59432e543f9a836fc0f33d92e2ef2bb49c088e868563f6dfea4a5af22ce57862a390

          Download Submit

        • C:\fonthostdll\cDjK63EiRnHUwKm2BmlGhi2Z7Zsm9LN.bat
          Filesize

          106B

          MD5

          9ff96846900e41d5f9f9c291b8efea33

          SHA1

          b581cd1d80e5a6eb01e062d438435ade5c6ed22a

          SHA256

          0a8dcc94b789d4a5f442701f4842935d83e9e14e9bd42b60d1ac221b21f5c13c

          SHA512

          a3f4ce62d1cadeb3b4e6f5467d661d82430a7c98bc8c3eef8b208a0703ad03206120a367a7f2783a49b30f4db4679025a1de0ed10aefcf408d4012e991e5f368

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\mho25pwq\mho25pwq.0.cs
          Filesize

          384B

          MD5

          b563f060e70c77e71f687924bb677e5d

          SHA1

          9e6f82cdf89a83a97102281ff58594c2b7eb5b91

          SHA256

          877ff7954373f4f971fb90791da1a5b1dea6e5983d63b27cdbe091a472ae496e

          SHA512

          37040eab78bf197641e6860905cbdb0d686d7b6a2e3f2c3bbe4bf15515b8e7d2d5cc4f062b3fca566bace46f95cb2f4f88f15e36842484411a735663dbe2725a

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\mho25pwq\mho25pwq.cmdline
          Filesize

          235B

          MD5

          d637636785f220d1a6e226bd857b00a3

          SHA1

          ade1e028025e56550c70d8288ffc2ab7cbcdac1e

          SHA256

          edf147756fbcb2e76d83f2420660865c3bbc54548cc6cfa71f6adf82f257b421

          SHA512

          3c6e0bd05ebbd261330ed9a0e61ce8bc642bf17a37455d718c532b398b2954dce4b031af90a0828e57039005279971fe69497c5182fbd6991e76fc04094d9cbc

          Download Submit

        • \??\c:\Windows\System32\CSC454ADE0B1AE64937B2F89E8B039B522.TMP
          Filesize

          1KB

          MD5

          6d2e1afd58a144bc17ed280b510c7ca8

          SHA1

          8f0802f6a4e75cd6870573a8e8ed51c634ef5653

          SHA256

          09d6068e26bfa3a6148b45d54c66d9f8ca9e8792869d7b22da28aa73373e0895

          SHA512

          5a3622b68416e2190f1fa793319f4b4813e0000ed67452e1a7716e8726488d1e929f5ff0a6f299d7132054de84aace4b21d3b5e2ea939da050cb65076b76a1de

          Download Submit

        • memory/4132-39-0x000000001BB90000-0x000000001BBA2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4132-48-0x000000001BC10000-0x000000001BC6A000-memory.dmp

          Filesize

          360KB

          Download

        • memory/4132-27-0x0000000001570000-0x0000000001580000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4132-29-0x0000000001580000-0x0000000001590000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4132-31-0x0000000002E90000-0x0000000002E9E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4132-33-0x000000001B7C0000-0x000000001B7D2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4132-35-0x000000001B7A0000-0x000000001B7B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4132-37-0x000000001BB70000-0x000000001BB86000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4132-23-0x00000000014D0000-0x00000000014E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4132-40-0x000000001C0E0000-0x000000001C606000-memory.dmp

          Filesize

          5.1MB

          Download

        • memory/4132-42-0x000000001B7B0000-0x000000001B7BE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4132-44-0x000000001B7E0000-0x000000001B7F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4132-46-0x000000001BB50000-0x000000001BB60000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4132-25-0x000000001B780000-0x000000001B798000-memory.dmp

          Filesize

          96KB

          Download

        • memory/4132-50-0x000000001BB60000-0x000000001BB6E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4132-52-0x000000001BBB0000-0x000000001BBC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4132-54-0x000000001BBC0000-0x000000001BBCE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4132-56-0x000000001BBF0000-0x000000001BC08000-memory.dmp

          Filesize

          96KB

          Download

        • memory/4132-58-0x000000001BCC0000-0x000000001BD0E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/4132-21-0x000000001BB00000-0x000000001BB50000-memory.dmp

          Filesize

          320KB

          Download

        • memory/4132-20-0x0000000002E70000-0x0000000002E8C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/4132-18-0x00000000014C0000-0x00000000014CE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4132-16-0x0000000002E40000-0x0000000002E66000-memory.dmp

          Filesize

          152KB

          Download

        • memory/4132-86-0x000000001C040000-0x000000001C0DE000-memory.dmp

          Filesize

          632KB

          Download

        • memory/4132-14-0x0000000000880000-0x0000000000C08000-memory.dmp

          Filesize

          3.5MB

          Download

        • memory/4996-112-0x000000001C500000-0x000000001C59E000-memory.dmp

          Filesize

          632KB

          Download